CVE-2023-33956

Name of the Vulnerable Software and Affected Versions Kanboard versions prior to 1.2.30

Description The issue is related to an Insecure direct object reference (IDOR) vulnerability present in the application's URL parameter. This vulnerability enables any user to read files uploaded by any other user, regardless of their privileges or restrictions. By changing the file id, any user can render all the files where MimeType is image uploaded under the /files directory, regardless of who uploaded them. This poses a significant impact and severity to the application's security, allowing an attacker to access sensitive files that should only be available to authorized users. This can lead to various detrimental consequences, such as unauthorized disclosure of sensitive information, privacy breaches, intellectual property theft, or exposure of trade secrets.

Recommendations For versions prior to 1.2.30, upgrade to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to the /files directory to minimize the risk of exploitation. Avoid using the file id parameter in the affected URL until the issue is resolved. There are no known workarounds for this vulnerability.